Nigerian Fintech Companies Fined For Data-sharing Breach


Aug. 30, 2021, 11:41 a.m.

YETUNDE Adewole lost her phone in June. She got a replacement weeks later, including a new SIM card and everything went back to normal.

She didn’t give a thought to the missing phone or the SIM card until rumors started flying around in July.

Yetunde owed money. An online loan fintech company was sending WhatsApp and text messages to everyone in Yetunde’s inner circle that she was a debtor and fraudster.

Her close friends, former schoolmates, and work colleagues received these messages, three or four times daily.

“I tried explaining to everyone on my contact list, whom I could get in touch with, that I didn’t take any loan from the online loan company and it has not been easy trying to clear my name for something I didn’t do.

“It was a really traumatic experience. My biggest regret was failing to block the line when my phone went missing,” she told The ICIR.

Yetunde had never taken a loan from an online loan app, but she failed to block her SIM card after her phone went missing.

If a missing phone fell into the hands of a scammer, a transaction could be done on the account of the phone owner without his or her knowledge.

All the scammer who picked up Yetunde’s SIM card needed to do was, download the online loan app, enter a fictitious financial detail, and let the algorithm generate a credit rating.

The fintech creditor usually asks for permission to access the contacts on the SIM card before the loan is approved, a process that takes barely an hour.

The scammer used Yetunde’s SIM card to take multiple loans from several online loan apps which included: NairaPlus, EasyCredit, TrueNaira, GoCash, CashLion, and LCredit.

One month after, the online loan companies hounded Yetunde’s contacts, saying her payments for the loan were due.

She later reported the case to the law enforcement authorities and got a Police report and written affidavit.

The Police assured her of their intervention, promising that the messages by the fintech creditors to people on her contact list would cease.

Two weeks later, her friends still sent her screenshots of the threat messages by the fintech loan companies.

For thousands of Nigerians like Yetunde, whose identities were stolen by scammers, the online loan companies helped to publicly shame them without properly vetting their identities.

Do you have an article that can be relevant to the African Tech space?

Submit your news stories, articles or press releases to


A data-sharing breach

On August 17, the National Information and Technology Development Agency (NITDA), slammed Soko Lending Company, a Nigerian online lending platform, with a fine of ₦10 million for privacy invasion.

This was after a series of complaints against the company for unauthorized disclosures, failure to protect customers’ personal data, and defamation of character.

A key basis for the fine was the company’s ‘privacy-invading messages’ to defaulting customers’ contacts when they did not pay back loans.

This clearly violates Article 2.2 of the Nigeria Data Protection Regulation (NDPR), which bans illegal data sharing with third parties without a legal basis.

The ICIR reviewed the terms of service of six loan apps hosted on Google Play Store which included: NairaPlus, EasyCredit, TrueNaira, GoCash, CashLion, FairMoney, and LCredit.

They all failed to disclose to users downloading the apps that their rights of access to users’ contact lists would be shared with third parties if they defaulted. This does not conform to Google Play Store’s policies.

The updated data privacy policy on the Google Play Store stipulates that apps that offer financial services on its platform should disclose to users what it intends to use their personal information for.

“Your app must post a privacy policy that, together with any in-app disclosures, explain what user data your app collects and transmits, how it’s used, and the type of parties with whom it’s shared,” the policy reads.

A popular lending company Migo scans a person’s contacts to see if they include known debtors by embedding trackers on their phone in their mobile application without providing users’ information about it.

Findings by The ICIR show that recovery agents from the six loan apps engage in brazen violations of their client’s privacy by sending threatening messages to contacts of debtors when they default on their loan obligations.

Edna Inyang, a make-up artist in Abuja, said she got an online loan app from FairMoney but its conditions did not specify they would share their data with a third party when she defaulted.

“One of the conditions for the loan is that they would gain permission to my phone contacts, but they did not say they would share that confidential information with family, relatives or people on your contact list when I default,” she told The ICIR.

In January, a Twitter poll conducted by Techpoint revealed that 56.2 percent of Nigerians did not care about WhatsApp’s privacy update.

More than half of Africa’s 54 countries have no data protection or privacy laws, according to London-based rights group Article 19.

And while 14 countries do, nine have no regulators to enforce them, the group said.

Social shaming scheme

The online loan companies make use of the social networks of their customers to shame them, based on The ICIR findings.

Defaulting customers are sent messages such as “You will not be able to get a loan from us or any other loan company/bank again”, or “Your loan will be increasing every day by 5 per cent.”

Sometimes they use threatening messages like, “We are giving you till 4 pm to make your payment today or else.”

Udoma Nseobong had taken a N30,000 loan from CashLion Credit and he paid the weekly interest consistently for six weeks.

When it was time to pay, he defaulted by a day and cleared his debt the next day but the messages were sent to his family members nonetheless.

“I had some challenges that made me default for a day. The second day, even after I’d paid off with charges, I was declared a fraudster on the run with my entire family. I don’t know if the CBN is moderating the activities of these guys,” he said.

A user who identified herself as Feyisetan Salau claimed in the Google Play comments section of NairaPlus that she had been repeatedly contacted about an unpaid loan by representatives who used ‘abusive and threatening’ language and increased her interest rates.

“However, the loan recovery procedure/tactics this organisation employs is so unprofessional and appalling.Threat isn’t the way – be professional,” she added.

An anonymous University of Abuja student also said the texts cost him his relationship, and another user said his boss almost fired him for embarrassing the company.

There were countless complaints on the loan apps page on Google Play Store indicating deep grief those messages had caused.

To combat the debt collection methods by these companies, some people have started gaming the system.

A user said she wrote to her entire contact list to say that her phone had been stolen and that they should ignore any fraudster who might send text messages to them. Then she deleted the app.

While a user might be barred from borrowing from one loan company because of unpaid loans, for example, they could still easily get credit from a competitor.

Though the criticism of these practices has steadily grown, Titilayo Adetonya, a customer representative for CashLion who spoke to The ICIR, justified the methods of debt collection by online loan companies.

“There is no defamation of character involved when we trust people we’ve never seen by giving them money and when it’s time to pay they don’t pay.

“It’s lawful to send those messages to their contacts because we warn them before we send those messages to their contacts and that’s how we get our money,” she said.

A missing fintech link

In Nigeria, prospective customers seeking loans from online apps are expected to download the app, enter their financial details, and let the algorithm generate a credit rating.

Most apps ask for a Bank Verification Number (BVN) and a phone number link to the BVN.

The ICIR searched for the names of the six online loan apps on the Corporate Affairs Commission (CAC) database and their names were missing.

This makes it hard to know who exactly owns an app or even where the money for the loans is coming from.

However, they reveal the location of their physical addresses on their information page on the Google Play Store showing that they are based in Lagos.

The ICIR found out that the loan apps, CashLion, NairaPlus, and LCash, were all co-owned by Grola Tech Credit Limited, after tracking its debt collection team leader via a LinkedIn post.

Grola Tech Credit Limited was, however, registered on the CAC database with registration number 1636828 but identified as inactive by the commission. The directors of the company are Chinese national Du Yaoyao and a Nigerian Ayomikun Ogunkanmi

According to Section 58 of the Banks and other Financial Institutions Act (BOFIA), any person wishing to carry a financial business other than insurance and stockbroking in Nigeria shall apply in writing to the Central Bank of Nigeria (CBN) for the grant of a license.

It was not clear if the online loan companies failed to vet the scammers who used Yemisi’s phone number, or whether its rules were not stringent enough to detect dubious customers.

Scammers are likely to succeed unless the online loan companies introduce a high-level multi-factor authentication like pictures and fingerprints, Resources Manager at Fintech Association of Nigeria Seun Folorunso told The ICIR.

“Scammers take advantage of unsuspecting Nigerians who expose their data to extort these loan companies unless they introduce other high-level means of identification to stop them,” he added.


tag: news, Fintech,

ICIR Source